ZTNA HTTPS access proxy example
In this example, an HTTPS access proxy is configured to demonstrate its function as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context before granting access to the protected resource.
This example shows access control that allows traffic when the FortiClient endpoint is tagged as Low Importance using Classification tags. This example assumes that the FortiProxy EMS fabric connector is already successfully connected.
To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access.
To configure FortiClient EMS to share classification tags:
- Go to Administration > Fabric Devices.
- Select the FortiProxy device.
- Click Edit.
- Under Tag Types Being Shared, add Classification Tags.
- Click Save.
To configure a ZTNA server for HTTPS access proxy in the GUI:
- Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
- Click Create New.
- Set Name to ZTNA-webserver.
- Set Interface to port3. The IP address and Port fields are automatically set to the IP of the selected interface and the default port of 443.
- Set External IP to 10.1.1.14.
- Set External port to 9443.
  Verify that the IP address and port do not conflict with management access to the interface. Otherwise, change the IP address to another address on that subnet.
- Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.
- Add server mapping:
  - In the Service/server mapping table, click Create New.
  - Set Service to HTTPS.
  - Set Virtual Host to Any Host.
  - Configure the path as needed. For example, to map to webserver.ztnademo.com/fortiproxy, enter /fortiproxy.
  - In the Server section, set Address type to IP.
  - Set IP address to 10.120.1.78.
  - Set Port to 443.
  - Click OK. The server mapping is displayed.
- Click OK.
To configure ZTNA rules to allow traffic based on security posture tags in the GUI:
- Go to Policy & Objects > ZTNA.
- Create a ZTNA rule to allow traffic:
  - Click Create New.
  - Set Name to ZTNA-Allow-Simple.
  - Set Incoming Interface to port3.
  - Set Source to all. This can also be set to specific IP addresses to only allow those addresses to connect to this HTTPS access proxy.
  - Add the ZTNA (posture) tag Low.
  - Select the ZTNA server ZTNA-webserver.
  - Configure the remaining options as needed.
  - Click OK.
To configure HTTPS access in the CLI:
- Configure the access proxy VIP:
    config firewall vip
        edit "httpsvip"
            set type access-proxy
            set extip 10.1.1.14
            set extintf "any"
            set server-type https
            set extport 9443
            set ssl-certificate "Fortinet_SSL"
        next
    end
- Configure the server and path mapping:
    config firewall access-proxy
        edit "httpserver"
            set vip "httpsvip"
            config api-gateway
                edit 1
                    config realservers
                        edit 1
                            set ip 10.120.1.78
                        next
                    end
                next
            end
        next
    end
- Configure a ZTNA rule:
    config firewall policy
        edit 1
            set type access-proxy
            set uuid 286706fa-55b5-51ef-1b9a-e4ea291bae6a
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set access-proxy "httpserver"
            set logtraffic all
            set logtraffic-start enable
            set extended-log enable
            set ssl-ssh-profile "deep-inspection"
        next
    end
Testing the remote access to the HTTPS access proxy
After FortiClient EMS and FortiProxy are configured, the HTTPS access proxy remote connection can be tested.
- On the remote Windows PC, open FortiClient.
- On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
  It is not necessary to configure a ZTNA Destination on FortiClient for the HTTPS access proxy use case. In fact, configuring a ZTNA Destination rule for the website may interfere with its operation.
- Open a browser and enter the address of the server and the access port. When entering the FQDN, make sure that the DNS can resolve the address to the IP address of the FortiProxy. In this example, webserver.ztnademo.com resolves to 10.1.1.14.
- The browser prompts for the client certificate to use. Select the EMS signed certificate, then click OK.
  The certificate is in the User Configuration store, under Personal > Certificates. The details show the SN of the certificate, which matches the record on the FortiClient EMS and the FortiProxy.
- The FortiProxy verifies the client certificate against the EMS record to authenticate your identity.
- The FortiProxy checks your security posture tag against the ZTNA rule; because the endpoint carries the Low tag, the rule matches and you are allowed access to the web server.
Logs and debugs
The following commands on the FortiProxy show the endpoint record learned from EMS, the cached ZTNA tags for the endpoint, and the ZTNA traffic logs for the access proxy session.

# diagnose endpoint record list
Record #1:
    IP Address = 10.100.1.33
    MAC Address = 00:0c:29:71:39:17
    MAC list =
    VDOM = root (0)
    EMS serial number: FCTEMS8823005021
    EMS tenant id: 00000000000000000000000000000000
    Client cert SN: 42A4127A22FDB8D98B33CA1F0239BF50ED783B82
    Public IP address: 207.102.138.19
    Quarantined: no
    Online status: online
    Registration status: registered
    On-net status: on-net
    Gateway Interface: port1
    FortiClient version: 7.4.0
    AVDB version: 1.0
    FortiClient app signature version: 28.831
    FortiClient vulnerability scan engine version: 3.2
    FortiClient UID: 70A5C5FABBE64A9B98B6DDA3FE8AC794
    Host Name: DESKTOP-SNBQJ04
    OS Type: WIN64
    OS Version: Microsoft Windows 10 Professional Edition, 64-bit (build 19045)
    Host Description:
    Domain:
    Last Login User: guodong
    Owner:
    Host Model: VMware7,1
    Host Manufacturer: VMware, Inc.
    CPU Model: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
    Memory Size: 8190
    AV Feature: 1
    FW Feature: 1
    WF Feature: 1
    AS Feature: 0
    VS Feature: 1
    VN Feature: 1
    Last vul message received time: N/A
    Last vul scanned time: N/A
    Last vul statistic: critical=0, high=0, medium=0, low=0, info=0
    Avatar fingerprint: 05b9940c015425a375caafa28096d695be6e9ad2
    Avatar source username:
    Avatar source email:
    Avatar source: OS
    Phone number:
    Number of Routes: (1)
    Gateway Route #0:
    - IP:10.100.1.33, MAC: 00:0c:29:71:39:17, VPN: no
    - Interface:port1, VFID:0, SN: FPXVULTM24000082
online records: 1; offline records: 0; quarantined records: 0; out-of-sync records: 0

FPXVULTM24000082 # diagnose test application fcnacd 7
ZTNA Cache V2:
Entry #1:
    - UID: 70A5C5FABBE64A9B98B6DDA3FE8AC794
    - EMS Fabric ID: FCTEMS8823005021:00000000000000000000000000000000
    - Domain:
    - User: guodong
    - Owner:
    - Certificate SN: 42A4127A22FDB8D98B33CA1F0239BF50ED783B82
    - online: true
    - Routes (1):
    -- Route #0: IP=10.100.1.33, vfid=0
    - FWAddrNames (10):
    -- Name (#0): EMS1_ZTNA_disk-en
    -- Name (#1): MAC_EMS1_ZTNA_disk-en
    -- Name (#2): EMS1_ZTNA_Malicious-File-Detected
    -- Name (#3): MAC_EMS1_ZTNA_Malicious-File-Detected
    -- Name (#4): EMS1_CLASS_Low
    -- Name (#5): MAC_EMS1_CLASS_Low
    -- Name (#6): EMS1_ZTNA_all_registered_clients
    -- Name (#7): MAC_EMS1_ZTNA_all_registered_clients
    -- Name (#8): EMS1_ZTNA_anti-virus-ok
    -- Name (#9): MAC_EMS1_ZTNA_anti-virus-ok
lls_idx_mask = 0x00000001,

FPXVULTM24000082 # diagnose wad dev query-by uid 70A5C5FABBE64A9B98B6DDA3FE8AC794 FCTEMS8823005021 00000000000000000000000000000000
Attr of type=0, length=83, value(ascii)=70A5C5FABBE64A9B98B6DDA3FE8AC794
Attr of type=4, length=0, value(ascii)=
Attr of type=6, length=1, value(ascii)=true
Attr of type=5, length=40, value(ascii)=42A4127A22FDB8D98B33CA1F0239BF50ED783B82
Attr of type=3, length=17, value(ascii)=EMS1_ZTNA_disk-en
Attr of type=3, length=21, value(ascii)=MAC_EMS1_ZTNA_disk-en
Attr of type=3, length=33, value(ascii)=EMS1_ZTNA_Malicious-File-Detected
Attr of type=3, length=37, value(ascii)=MAC_EMS1_ZTNA_Malicious-File-Detected
Attr of type=3, length=14, value(ascii)=EMS1_CLASS_Low
Attr of type=3, length=18, value(ascii)=MAC_EMS1_CLASS_Low
Attr of type=3, length=32, value(ascii)=EMS1_ZTNA_all_registered_clients
Attr of type=3, length=36, value(ascii)=MAC_EMS1_ZTNA_all_registered_clients
Attr of type=3, length=23, value(ascii)=EMS1_ZTNA_anti-virus-ok
Attr of type=3, length=27, value(ascii)=MAC_EMS1_ZTNA_anti-virus-ok
Response termination due to no more data

FPXVULTM24000082 # execute log filter category 0
FPXVULTM24000082 # execute log filter field subtype ztna
FPXVULTM24000082 # execute log display
2 logs found.
2 logs returned.

1: date=2024-08-08 time=15:02:00 eventtime=1723154519994707696 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.100.1.33 srcport=49397 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.120.1.78 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2061742751 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="286706fa-55b5-51ef-1b9a-e4ea291bae6a" trandisp="snat" transip=10.120.1.209 transport=25370 clientip=10.100.1.33 duration=172200 gatewayid=1 vip="httpsvip" accessproxy="httpserver" clientdevicemanageable="manageable" wanin=9606 rcvdbyte=9606 wanout=2047 lanin=2919 sentbyte=2919 lanout=9776 appcat="unscanned" utmaction="allow"

2: date=2024-08-08 time=14:59:04 eventtime=1723154343928534388 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.100.1.33 srcport=49394 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.120.1.78 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2061742750 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="286706fa-55b5-51ef-1b9a-e4ea291bae6a" trandisp="snat" transip=10.120.1.209 transport=15780 clientip=10.100.1.33 duration=91259 gatewayid=1 vip="httpsvip" accessproxy="httpserver" clientdevicemanageable="manageable" wanin=9609 rcvdbyte=9609 wanout=2047 lanin=2880 sentbyte=2880 lanout=9740 appcat="unscanned" utmaction="allow"
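The ZTNA traffic logs above are the record of which sessions the access proxy accepted and for which endpoint. The following is an added example, not part of the FortiProxy documentation, that parses such key=value records and reviews them for one access proxy: it counts accepted and denied sessions and flags denied attempts and any accepted session whose endpoint is not reported as EMS-manageable. The first sample record is abridged from the log on this page; the second is constructed, and its deny action and unmanageable value are assumed rather than taken from the page.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Record 1 is abridged from the first "execute log display" entry on this page;
# record 2 is a constructed variant standing in for a session the ZTNA rule rejected.
SAMPLE_LOGS = [
    'date=2024-08-08 time=15:02:00 tz="-0700" logid="0005000024" type="traffic" '
    'subtype="ztna" level="notice" vd="root" srcip=10.100.1.33 srcport=49397 '
    'srcintf="port1" dstip=10.120.1.78 dstport=443 service="HTTPS" action="accept" '
    'policyid=1 policytype="proxy-policy" '
    'poluuid="286706fa-55b5-51ef-1b9a-e4ea291bae6a" clientip=10.100.1.33 '
    'vip="httpsvip" accessproxy="httpserver" clientdevicemanageable="manageable" '
    'rcvdbyte=9606 sentbyte=2919 utmaction="allow"',
    # constructed (assumed values): a different client that no ZTNA rule accepted
    'date=2024-08-08 time=15:05:11 tz="-0700" logid="0005000024" type="traffic" '
    'subtype="ztna" level="notice" vd="root" srcip=10.100.1.44 srcport=50110 '
    'srcintf="port1" dstip=10.120.1.78 dstport=443 service="HTTPS" action="deny" '
    'policyid=0 clientip=10.100.1.44 vip="httpsvip" accessproxy="httpserver" '
    'clientdevicemanageable="unmanageable" rcvdbyte=0 sentbyte=0',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ztna_log(line: str) -> Dict[str, str]:
    """Split one FortiProxy log record into a dict, with quotes stripped."""
    return {key: bare if bare else quoted for key, quoted, bare in FIELD.findall(line)}


def review_ztna_sessions(lines: Iterable[str], access_proxy: str = "httpserver") -> Dict[str, object]:
    """Count accepted and denied sessions for one access proxy and collect the
    records worth a second look: denied attempts, and accepted sessions whose
    endpoint is not reported as EMS-manageable (no device identity to trust)."""
    accepted = denied = 0
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_ztna_log(line)
        if rec.get("subtype") != "ztna" or rec.get("accessproxy") != access_proxy:
            continue
        client = rec.get("clientip", "?")
        if rec.get("action") == "accept":
            accepted += 1
            if rec.get("clientdevicemanageable") != "manageable":
                flagged.append(("accepted-unmanageable-device", client))
        else:
            denied += 1
            flagged.append(("denied", client))
    return {"accepted": accepted, "denied": denied, "flagged": flagged}


if __name__ == "__main__":
    print(review_ztna_sessions(SAMPLE_LOGS))
```

Feeding the full "execute log display" output through this review gives a quick check that only the expected, EMS-managed endpoints reach the access proxy.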